Topic: Determining the source of a bitcoin transaction
vinshet (OP)
March 24, 2022, 12:43:06 PM
 #1

Hi all,

I am trying to figure out the source node of a propagated transaction in the bitcoin network. My approach is to set up multiple nodes and analyze the received transactions.
Additionally, I was curious about what I need to do to connect to a bitcoin node running Tor (I'm guessing I have to configure the SOCKS5 proxy). After the Tor configuration can I just add a peer with their .onion address?
I am also planning to set the maximum connections to say 1000 per node. I was told this is a bad idea because it will slow down processing at my node if I don't have enough resources, but it seems like a good way to get transactions from multiple nodes.
Any ideas and opinions will be highly appreciated.
pooya87
March 24, 2022, 01:01:02 PM
 #2

You have two challenges.
First is that the majority of bitcoin full nodes (45,996 out of 51,872 according to this) don't accept incoming connections, which means it is impossible for you to connect to every bitcoin node; ergo you will not be able to "spy" successfully on most of the bitcoin transactions, and the rest of the conclusions you make about the origin of a transaction are going to be weak at best.
For example you connect to node A that accepts incoming connections, node B doesn't but it also connects to node A. Node B sends a new tx to A and A sends it to you so you conclude the origin of the tx is node A which is wrong.

Second is the fact that even if you could connect to a large number of nodes you still can't successfully make a decisive conclusion about the origin of a transaction, I can't give you more details because I don't know them (hopefully someone else does) but I believe there are steps bitcoin core full node takes to make spying harder.

BlackHatCoiner
March 24, 2022, 03:25:03 PM
 #3

Quote
I am trying to figure out the source node of a propagated transaction in the bitcoin network.
It is impossible to know who was the first node who sent the transaction. Even if you had access to every internet provider in the world (which is also impossible), you couldn't be sure that the first one who broadcasted it is indeed the one who signed it, as there're lots of hidden services you've no insight of.

You can determine the source of a Bitcoin transaction if the user doesn't run their own node and connects to your SPV server, though. (If they don't use tor)

garlonicon
March 24, 2022, 08:49:29 PM
 #4

There is more: there are forum-based transactions, for example here, in this topic: https://bitcointalk.org/index.php?topic=5390103.msg59616324#msg59616324 (I think he did it right, because it is still unconfirmed, so it is really "intentionally slow" done right).

So, it is possible to make a transaction by joining N people, then you will never know, how many stages there were during making that transaction and who owns what. Even if you could catch the right node which was used to broadcast it, then it may turn out to be some online open source service, what then?

In the example above, vjudeu is probably the transaction maker (but you cannot be sure, you can only assume that). But, someone could receive "payment request" as a similar transaction, and then pay him for something, and push similar transaction on mainnet, instead of testnet3. Then, catching the broadcaster will tell you nothing about the original transaction creator. Also, you will never know if the broadcaster is the same person as the buyer in such case (and Taproot nicely can hide any multisig, so you will never know, how many people are hidden behind a single address).
DannyHamilton
March 25, 2022, 04:38:07 AM
 #5

There are many services like this:
https://www.viabtc.com/tools/broadcast

Which allows a transaction creator to give their signed transaction directly to a mining pool, allowing that mining pool to then broadcast the transaction to others (if the pool even wants to).

Many people, including myself, use services like this at times rather than broadcasting a transaction from our own connected node. At BEST, in situations like that, you'll only be able to tell which pool received the transaction first, but won't know anything at all about who gave the transaction to the pool. At worst, if the pool chooses not to broadcast the transaction and instead just adds it to their own block, you won't even see the transaction at all until you see it already in a block.
odolvlobo
March 25, 2022, 04:39:03 AM
 #6

This site explains the Dandelion Protocol, which is an attempt to defeat the kind of attack you are referring to.

https://blockonomi.com/dandelion-protocol/

witcher_sense
March 25, 2022, 06:09:08 AM
 #7

Quote
Many people, including myself, use services like this at times rather than broadcasting a transaction from our own connected node. At BEST, in situations like that, you'll only be able to tell which pool received the transaction first, but won't know anything at all about who gave the transaction to the pool.
I am far from being considered a privacy or security expert but what you have described seems to me less privacy-friendly than the case of broadcasting using your own node. I don't know about other broadcasting services or mining pools, but ViaBTC is terrible when it comes to the privacy of your transactions because it records every piece of information you expose to them when using their services. They also "may use or disclose your personal information in compliance with [their] Privacy Policy to provide better services." Law enforcement agencies can and will contact ViaBTC and force them to disclose from which IP, which browser, and which device a particular transaction came into being. Maybe the police won't find you right away, but certainly, they will have more information and more evidence (compared to personal nodes) to catch you and put you in jail.

https://www.viabtc.com/privacy

vjudeu
March 25, 2022, 06:21:19 AM
 #8

Quote
Maybe the police won't find you right away, but certainly, they will have more information and more evidence (compared to personal nodes) to catch you and put you in jail.
But you know that it is possible to also broadcast someone else's transaction? For example if you have a chain of zero-confirmation transactions, you need to push the first one to even get a chance of pushing others.

witcher_sense
March 25, 2022, 06:35:39 AM
 #9

Quote
But you know that it is possible to also broadcast someone else's transaction? For example if you have a chain of zero-confirmation transactions, you need to push the first one to even get a chance of pushing others.
In either case, by "outsourcing" the broadcasting of your transaction, you have to trust someone else and hope that they won't share sensitive information with someone you don't like. An intermediary itself might check the history of your transactions or find the source of your initial transaction, and decide not to do business with you, sending all the information directly to the police. If you didn't expose your real identity dealing with third parties -- good for you, but the police anyway will have some leads to try to figure out who you are.

pooya87
March 25, 2022, 06:54:12 AM
 #10

Quote
what you have described seems to me less privacy-friendly than the case of broadcasting using your own node.
That is true but the discussion isn't about privacy but to determine the source of a transaction. The point here is that users could use other means of pushing their transactions into the bitcoin network, one is using centralized third parties, another is SPV clients that connect to another node, another could be a small code that only digs DNS seeds and connects to a random node to push the transaction without running any kind of client. In all these cases the actual source is something other than the first node that relays the transaction.

witcher_sense
March 25, 2022, 07:25:07 AM
 #11

Quote
That is true but the discussion isn't about privacy but to determine the source of a transaction. The point here is that users could use other means of pushing their transactions into the bitcoin network, one is using centralized third parties, another is SPV clients that connect to another node, another could be a small code that only digs DNS seeds and connects to a random node to push the transaction without running any kind of client. In all these cases the actual source is something other than the first node that relays the transaction.
Ah, okay. I merely couldn't think of any other justifications for being eager to determine the source of the transaction other than to invade someone's privacy. That is why my first instinct was to help to preserve privacy by telling to avoid unnecessary intermediaries.

pooya87
March 26, 2022, 04:57:38 AM
 #12

Quote
I think you're referring to IP block selection where 2 or more nodes with same IP block (such as 23.64.X.Y) can't connect to same node. I'm sure someone discussed it in the past in this forum, but I couldn't find it.
I mainly have in mind the stuff that involves broadcasting and relaying transactions. For example I don't know if the following is just an idea or implemented but imagine if your node is connected to 10 peers and you want to broadcast your tx, it won't send it to all 10 and it will mix it with other transactions when sending it (a couple of tx payloads with others from mempool). There are also random delays nodes add to their transaction relaying, etc.

DannyHamilton
April 13, 2022, 12:57:39 AM
 #13

Quote
I am far from being considered a privacy or security expert but what you have described seems to me less privacy-friendly than the case of broadcasting using your own node. I don't know about other broadcasting services or mining pools, but ViaBTC is terrible when it comes to the privacy of your transactions because it records every piece of information you expose to them when using their services. They also "may use or disclose your personal information in compliance with [their] Privacy Policy to provide better services." Law enforcement agencies can and will contact ViaBTC and force them to disclose from which IP, which browser, and which device a particular transaction came into being. Maybe the police won't find you right away, but certainly, they will have more information and more evidence (compared to personal nodes) to catch you and put you in jail.

https://www.viabtc.com/privacy

I'm not trying to hide from the police or anyone else for that matter.

Certainly, you give up some privacy if you communicate your transaction directly to anyone (viaBTC or otherwise).

The point is that, as several people have pointed out now, it is VERY DIFFICULT to reliably determine the source of every transaction. It's possible to infer a source for many transactions (if you're willing to accept that you'll be wrong some percentage of the time), but if you are expecting to use the data collected to prove with any level of certainty that any particular transaction originated from any particular IP address, you're going to fail.
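Added example (editorial, not written by any poster in this thread and not Bitcoin Core code): a toy simulation of why "first node I heard it from" is a weak origin estimate, covering the unreachable-node case from post #2 and the random relay delays from post #12. The topology, the `LATENCY` value, the exponential delay model and all function names are assumptions made for illustration; only the reachable/unreachable node counts come from the thread.

```python
import heapq
import random

LATENCY = 0.1  # fixed per-hop network latency in seconds (assumed value)

def build_network(n_reachable, n_unreachable, out_degree, rng):
    """Every node opens `out_degree` outbound links, and only reachable
    (listening) nodes can be dialled. Ids below n_reachable are reachable."""
    adj = {i: set() for i in range(n_reachable + n_unreachable)}
    for node in adj:
        candidates = [r for r in range(n_reachable) if r != node]
        for peer in rng.sample(candidates, out_degree):
            adj[node].add(peer)
            adj[peer].add(node)
    return adj

def hop(rng, mean_delay):
    """Time for one announcement: latency plus an optional random relay delay."""
    return LATENCY + (rng.expovariate(1.0 / mean_delay) if mean_delay > 0 else 0.0)

def first_announcer(adj, n_reachable, origin, rng, mean_delay):
    """Flood a tx from `origin`; return the node the observer hears it from
    first. The observer is linked to every reachable node (its best case)."""
    arrival = {origin: 0.0}
    heap = [(0.0, origin)]
    settled = set()
    best = (float("inf"), None)
    while heap:
        t, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node < n_reachable:  # the observer cannot dial non-listening nodes
            best = min(best, (t + hop(rng, mean_delay), node))
        for peer in adj[node]:
            t_peer = t + hop(rng, mean_delay)
            if t_peer < arrival.get(peer, float("inf")):
                arrival[peer] = t_peer
                heapq.heappush(heap, (t_peer, peer))
    return best[1]

def accuracy(adj, n_reachable, origins, rng, mean_delay):
    """Fraction of transactions whose true origin equals the observer's guess."""
    hits = sum(first_announcer(adj, n_reachable, o, rng, mean_delay) == o for o in origins)
    return hits / len(origins)

if __name__ == "__main__":
    rng = random.Random(2022)  # fixed seed so runs are repeatable
    # 5,876 reachable vs 45,996 unreachable nodes (thread figures), scaled by ~1/100
    n_reach, n_unreach = 59, 460
    net = build_network(n_reach, n_unreach, 8, rng)
    listening = list(range(n_reach))
    hidden = rng.sample(range(n_reach, n_reach + n_unreach), 100)
    for delay in (0.0, 2.0):
        print("mean delay", delay,
              "| listening origins:", accuracy(net, n_reach, listening, rng, delay),
              "| hidden origins:", accuracy(net, n_reach, hidden, rng, delay))
```

In this model the guess is never right for a transaction that starts at a non-listening node, whatever the delay, and random delays also push the hit rate for listening origins below 100%.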
philipma1957
April 13, 2022, 01:30:18 AM
 #14

Quote
There are many services like this:
https://www.viabtc.com/tools/broadcast

Which allows a transaction creator to give their signed transaction directly to a mining pool, allowing that mining pool to then broadcast the transaction to others (if the pool even wants to).

Many people, including myself, use services like this at times rather than broadcasting a transaction from our own connected node. At BEST, in situations like that, you'll only be able to tell which pool received the transaction first, but won't know anything at all about who gave the transaction to the pool. At worst, if the pool chooses not to broadcast the transaction and instead just adds it to their own block, you won't even see the transaction at all until you see it already in a block.

This is why the op has no real shot at understanding the location of the true creator of a tx.

here is another variation. I point a gpu miner to nicehash and use a fresh never used btc address as my final payment area. ten other people do this with 10 fresh btc addies.

all ten of us have decent amount of gpu miners and mine about 0.1 btc in a day

in theory nicehash will create a transaction for 1 btc total to 10 different btc addresses each one getting 0.1 btc
so you know nicehash sent the tx but it is worthless as they sent it to 10 anonymous btc addresses

those 10 miners can further mine 0.1 btc a day for 10 days. end result is 10 addresses with 1 btc.

then change the ten locations to 10 new addresses. and in 10 days 10 coins

so in a year the ten large miners could have 36.5 coins each spread on 37 addresses.

and even though every btc coin was sent to those addresses from nicehash you would not know if it was one guy with a super shit ton of hash. or 10 guys with just a ton of hash.

all you would know is nicehash paid out to 10x 37 addresses a total of 365 btc.

in fact you would not know if gpus mined the coins or asics mined the coins.

Other anonymous pools exist. so finding a tx source works only some of the time.
